Twitter turns on HTTPS to counter hackers

The social-networking service is giving users the option of always encrypting their web sessions, to prevent cookie-sniffing and impersonation
Written by Tom Espiner, Contributor

Twitter has turned on an encryption setting designed to thwart session-cookie hijacking and impersonation of users of the social-networking service.

People who view Twitter via the web can now do so using HTTPS by default, if they choose the setting in their account, the company said in a blog post on Tuesday. The technology, used in e-commerce and banking to protect web sessions, is based on the SSL/TLS web encryption protocol.

[Image: Twitter web page] Twitter is to offer users an HTTPS default connection when they access the social-networking site via the web. Photo credit: pixelbully

"Using HTTPS for your favourite internet services is particularly important when using them over unsecured Wi-Fi connections," the company said. Previously, people could browse Twitter using the encryption technology, but they had to log into a specific HTTPS version of the site.

To turn on the encryption for every session, Twitter users can go to 'Settings' and tick the 'Always use HTTPS' box. In introducing the security feature, Twitter is following a number of services, such as Facebook, which began offering an HTTPS option in January.

Enabling HTTPS makes it difficult for people to steal Twitter session cookies and use them to impersonate other people, security company Sophos said in a blog post on Wednesday.


Twitter uses a cookie to identify the user in a particular session. If a user logs in via unencrypted Wi-Fi, hackers can sniff the cookie and use it to pretend to be the user — something they have done to Ashton Kutcher and a number of other celebrities, according to Sophos.

Hackers can use a Firefox browser plug-in called Firesheep to automatically intercept cookies sent over unsecured Wi-Fi, the security company added.
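To make the cookie-sniffing risk described above concrete, here is an added example (written for this page, not Twitter's or Sophos's code) that models which cookies a browser will attach to a request depending on the URL scheme. It goes one step beyond the article: an "Always use HTTPS" preference only helps if the session cookie itself carries the Secure attribute, because otherwise the browser will still send it in clear text the first time any http:// link to the site is followed. The Set-Cookie headers and the host name social.example are constructed for the example.

```python
"""Added example: which cookies leak over plain HTTP, and how the Secure
attribute closes the gap.  Not Twitter's code; all headers are constructed."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie headers for a hypothetical site, social.example.
# "Before": the session cookie is HttpOnly but not Secure, so any http://
# request to the site carries it in clear text even for users who opted
# into HTTPS.  "After": the session cookie is also marked Secure.
BEFORE_HEADERS = [
    "session=constructed-session-token; Path=/; HttpOnly",
    "lang=en; Path=/",
]
AFTER_HEADERS = [
    "session=constructed-session-token; Path=/; Secure; HttpOnly",
    "lang=en; Path=/",
]


def parse_set_cookie(headers):
    """Parse a list of Set-Cookie header values into
    {name: {"value": str, "secure": bool, "httponly": bool}}."""
    cookies = {}
    for line in headers:
        jar = SimpleCookie()
        jar.load(line)
        for name, morsel in jar.items():
            cookies[name] = {
                "value": morsel.value,
                # Flag attributes parse to True when present, "" when absent.
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
            }
    return cookies


def cookies_sent_to(cookies, url):
    """Names of cookies a standards-following browser would attach to a
    request for url: every cookie over https, only non-Secure ones over http."""
    scheme = urlsplit(url).scheme.lower()
    return sorted(
        name for name, attrs in cookies.items()
        if scheme == "https" or not attrs["secure"]
    )


def cleartext_exposure(headers, host="social.example"):
    """Defender's check: cookie names that would travel unencrypted if the
    user (or a link, or a redirect) ever fetches http://<host>/."""
    return cookies_sent_to(parse_set_cookie(headers), f"http://{host}/")


if __name__ == "__main__":
    print("before:", cleartext_exposure(BEFORE_HEADERS))  # session leaks
    print("after: ", cleartext_exposure(AFTER_HEADERS))   # only 'lang' leaks
```

Run against the constructed headers, the "before" set exposes the session cookie on any plain-HTTP request, which is exactly what a passive sniffer on open Wi-Fi needs; the "after" set exposes only the harmless language preference, while over https:// both cookies are still sent so the site keeps working.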

"The Firesheep problem is the biggest concern," Graham Cluley, senior technology consultant at Sophos, told ZDNet UK. "It's out in the hands of anybody, and it's very easy to hijack account sessions."

Cluley noted that Twitter has not enabled default HTTPS for mobile access, but that some third-party mobile Twitter apps have.
